Dark Reading is part of the Informa Tech Division of Informa PLC

08:05 AM
Larry Loeb

FBI Knocks Out VPNFilter Malware That Infected 500K Routers

The VPNFilter botnet malware spread to 500,000 globally before the FBI knocked it out late in the day on May 23. However, it's another skirmish in the cyberfight between Russia and Ukraine.

It's been a busy few days for a sophisticated piece of botnet malware dubbed VPNFilter.

First, the Secret Service of Ukraine issued a warning about a botnet that had taken over 500,000 routers and Network Attached Storage (NAS) devices, infecting them with some of the most sophisticated malware ever seen used in a botnet.

Then, Cisco Talos and Symantec issued a descriptive warning about the situation and the malware, which the two firms called VPNFilter. The botnet was seen growing, and exhibited curious behavior in that it seemed to be seeking Ukrainian hosts -- even though Talos found that it had spread to 54 countries.

Finally, in a surprise move late on May 23, journalist Kevin Poulsen tweeted that the FBI had seized control of the malware's ability to regenerate itself after the host was rebooted. The feds were able to do this when a court gave them control of one of the domains that the malware used as a hard-coded emergency backup control server.

A diagram of the VPNFilter botnet malware in action (Source: Cisco Talos)

This allowed them to stop the Stage 2 and Stage 3 downloads from starting.

VPNFilter is a three-stage attack. Its first stage survives a reboot, which would normally erase the malware, and reloads the later stages afterwards. This is an extremely sophisticated technique that has only been seen once before in botnet malware.

The second stage has the main payload. This allows for file collection, command execution, data exfiltration, and device management. Worryingly, there is a destructive capability that can effectively "brick" the device if it receives a command from the attackers. It does this by overwriting a section of the device's firmware and then rebooting, which makes it unusable.

Stage 3 consists of plugins that work with the second stage.

There is another seemingly unique capability -- a packet sniffer for spying on traffic that is routed through the device. The sniffer can carry out the theft of website credentials, as well as the monitoring of Modbus SCADA protocols. There may be other Stage 3 modules that haven't been seen yet.

That Supervisory Control and Data Acquisition (SCADA) monitoring is the giveaway as to what this malware is all about. These modules are the gateways to the infrastructure of a country. The ability to cause these gateways to fail without recovery -- not to mention the routers the malware is hosted on -- would be devastating.

The sophistication and targeting of the malware make it all but inevitable that a nation-state created it. The recent Ukrainian targeting, as well as the setup of a C&C server just for Ukrainian sites, makes it probable that Russia is the originator. This follows previous attempts Russia has made against Ukraine's infrastructure, according to the US Department of Homeland Security.

If a user finds the malware, Cisco found that rebooting will wipe Stages 2 and 3 but not Stage 1, and Stage 1 can then reload Stages 2 and 3.

Stage 1 removal may require a hardware reset of the device, which can also remove any stored configuration settings.

However, with the FBI taking control of the Stage 1 reload process, the botnet's back has been broken. The threat to Ukrainian infrastructure has been reduced greatly, unless Russia gets a second version out the door in short order. Even with the FBI's interdiction, users need to remove all traces of the malware to be reasonably assured of safety from the current threat.
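Because Stage 1 survives a reboot and then reaches out to the hard-coded backup domain to fetch Stage 2, a device that still carries Stage 1 keeps trying to resolve that domain even now that the FBI controls it. The script below, an added example that is not part of the article or of the Talos or Symantec reports, scans BIND-style DNS resolver query logs for lookups of a watchlist domain and reports which client addresses made them. The log format is the standard BIND9 query-log layout and the domain `backup-c2.example` is a placeholder, since the article does not name the seized domain; the log lines are constructed sample input.

```python
import re
from collections import defaultdict

# Assumed BIND9 query-log layout (constructed for this example):
# <date> <time> queries: info: client <ip>#<port> (<qname>): query: <qname> IN <qtype> + (<resolver>)
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<client>[\d.]+)#\d+ \(\S+\): "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)

# Placeholder indicator: the article does not name the seized backup domain.
WATCHLIST = {"backup-c2.example"}


def parse_query(line):
    """Return a dict with ts/client/qname/qtype for one log line, or None if it is not a query line."""
    m = QUERY_RE.match(line)
    if m is None:
        return None
    return {
        "ts": m.group("ts"),
        "client": m.group("client"),
        # Normalise: strip trailing dot, lower-case, so matching is exact.
        "qname": m.group("qname").rstrip(".").lower(),
        "qtype": m.group("qtype"),
    }


def matches_watchlist(qname, watchlist):
    """True if qname is a watchlist domain or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in watchlist)


def find_beaconing_clients(lines, watchlist=WATCHLIST):
    """Map each client IP that looked up a watchlist domain to its (timestamp, qname) hits.

    A router that still carries Stage 1 shows up here as a client that keeps
    resolving the backup domain, typically right after it was rebooted.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_query(line)
        if rec is None:
            continue
        if matches_watchlist(rec["qname"], watchlist):
            hits[rec["client"]].append((rec["ts"], rec["qname"]))
    return dict(hits)


# Constructed sample log: 192.168.1.1 (a router) beacons twice, 192.168.1.20 is clean,
# and one line is not a query record at all.
SAMPLE_LOG = [
    "23-May-2018 22:14:03.101 queries: info: client 192.168.1.1#51324 (backup-c2.example): query: backup-c2.example IN A + (10.0.0.53)",
    "23-May-2018 22:14:05.417 queries: info: client 192.168.1.20#40112 (www.example.org): query: www.example.org IN A + (10.0.0.53)",
    "23-May-2018 22:14:09.002 queries: info: client 192.168.1.1#51330 (update.example.net): query: update.example.net IN A + (10.0.0.53)",
    "23-May-2018 22:31:44.880 named[1234]: zone example.org/IN: loaded serial 2018052301",
    "23-May-2018 22:32:10.550 queries: info: client 192.168.1.1#51402 (backup-c2.example): query: backup-c2.example. IN A + (10.0.0.53)",
]

if __name__ == "__main__":
    for client, events in find_beaconing_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(events)} watchlist lookup(s), first at {events[0][0]}")
```

Run against a real resolver log, the output is the list of LAN addresses worth pulling aside for a hardware reset and firmware update; a single hit after a reboot is exactly the Stage 1 reload the article describes.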

Symantec found the malware on the following devices:

  • Linksys E1200
  • Linksys E2500
  • Linksys WRVS4400N
  • Mikrotik RouterOS for Cloud Core Routers: Versions 1016, 1036, and 1072
  • Netgear DGN2200
  • Netgear R6400
  • Netgear R7000
  • Netgear R8000
  • Netgear WNR1000
  • Netgear WNR2000
  • QNAP TS251
  • QNAP TS439 Pro
  • Other QNAP NAS devices running QTS software
  • TP-Link R600VPN

Netgear is also advising customers that -- in addition to applying the latest firmware updates and the always useful changing of default passwords -- they should ensure that remote management is turned off on their router. Remote management should be turned off by default and can only be turned on using the router's advanced settings.

This is state cyberwar, brought to the user level. Even though this particular skirmish seems to have been won by the "GoodGuys," simply having a commodity device like a router can make one a participant in it. Perhaps this will make those who think security is for someone else realize that if you aren't part of the solution -- you are definitely part of the problem.

— Larry Loeb has written for many of the last century's major "dead tree" computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.
